Investigators stated on Monday that someone from China or with connections to
the nation was responsible for a large number of successful attacks on the U.S.
Department of Homeland Security (DHS).

Hackers compromised dozens of DHS computers, moving sensitive information to
Chinese-language websites. Congressional investigators made the
announcement Monday and called for a full-fledged Congressional investigation. The
FBI is concurrently conducting an investigation of the incidents.

Congress puts much of the blame on incompetence at security firm Unisys, which
the DHS contracted for security purposes. They feel Unisys's negligence
may even be criminal.

"The results of our [committee] investigation suggest that the department
is the victim not only of cyber attacks initiated by foreign entities, but of
incompetent and possibly illegal activity by the contractor charged with
maintaining security on its networks," said Democratic Reps. Bennie
Thompson of Mississippi and James Langevin of Rhode Island.

The attacks had gone unnoticed for months according to the Congressional
committee. How much information was stolen and how critical the stolen
documents were has not been ascertained, but the committee stated that the
attacks "took significant amounts of information."

"We know where it [the information] was taken from, but we don't know what
was taken. We only know how many megabytes was taken. Everything was on
the LAN A, which was an unclassified network. To the best of our knowledge
there was no classified information [taken]," said one DHS staffer.

The information was moved to a "web hosting service that connects to
Chinese Web sites."

Thompson and Langevin have written a letter demanding a full investigation and
have stated that "contractors provided inaccurate and misleading
information to Department of Homeland Security officials about the source of
these attacks and attempted to hide security gaps in their capabilities."

Thompson and Langevin's statements do not name the contractor involved, but the
Associated Press has learned that Unisys has a $1 billion contract to
safeguard DHS computers.

Unisys publicly disputed the allegations, which first broke Monday in a Washington Post article.

The Congressional committee stated that Unisys had been tasked to install
intrusion detection systems, which were not fully active at the time of the
attack. If the systems had been in place, the attack would likely have
been detected and dealt with.

Unisys did not directly respond to the Congressional accusations, but instead
chose to respond to the news reports on the incident.

"Unisys vigorously disputes the allegations made in today's article," said
the company in a statement. "Facts and documentation contradict the
claims described in the article, but federal security regulations preclude
public comment on specific incidents."

"We can state generally that the allegation that Unisys did not properly
install essential security systems is incorrect. In addition, we routinely
follow prescribed security protocols and have properly reported incidents to
the customer in accordance with those protocols."

DHS officials would not comment on these developments or Unisys's possible
criminal negligence.

They did make a statement that may indicate that they will be dumping Unisys
soon. DHS stated that they will be "re-competing" the Unisys
contract and other contracts "to integrate it into a single contract that
maximizes the tax payer's dollar."

Although Unisys can still compete for the contract, previous performance will
be weighed, said DHS spokesman Russ Knocke.

DailyTech reported in June on early results of this investigation, which cited
reports of over 800 break-ins and over 7000 detected security flaws in the
DHS's systems.

The possible Chinese connection also follows closely on the heels of the
DailyTech story that broke earlier this month, which reported on the Pentagon's
claims that China's PLA hacked into Pentagon computers. Reports indicated that
the attack was the largest and most disruptive attack on the Pentagon in its
history.

As U.S. government departments face numerous threats at home and abroad,
from malicious hackers to incompetent security firms, they must constantly
rethink and rebuild their defenses. It is not easy being one of the
world's largest cyber targets.

Comments


Also depending on what you use to scan your network (we use MARS) you will find that there are LOTS of "flaws" that are not actual vulnerabilities or are located in an area of the network where they can't be exploited.

true, but a government agency is not a company; it handles sensitive data relating to citizens, possible criminal investigations, security clearance codes, and the like. the level of security must be higher than that of some company.

i wonder if the US government actually held a competition to find out who is best at providing security, or if they simply went with the lowest bidder. if the latter is true, then they only have themselves to blame (and the hackers, of course).

Since when does the US Govt ever worry about going to the lowest bidder? They have the funds to get whatever they want, whenever they want. I'm pretty certain the nation's national security measures are contracted to the best place, regardless of price.

LOL that's actually kinda funny, um, the Military takes lowest bidder regardless. Right now we have something like a 200 million dollar project in utter failure because the military essentially went for the cheapest route.

Yes, but if you look at it from the bigger picture $200 million is chump change. That $200 million might have resulted in a failed product but it did result in R&D that can be used later. The F-35 is a good example, it was cheap and easy and R&D wasn't very costly. Why? Because it re-used most of the technology that was developed during the F-22 project and that sucker costs in the billions range. While not everything brings about a direct return on investment, everyone usually does walk away with more than they had originally.

$45 billion from the US, UK, and other partner governments. It wasn't all the US's money. Course the F-22 was all the US's money, which was $62 billion for the program. That's not including the purchase of the aircraft at $137 million a piece.

Remember, the military does not make their own rules for tendering and accepting contracts, but have to abide by those rules imposed on them by government accounting rules. I am all too familiar with these limitations having spent years trying to manage purchasing for and manufacture of prototype and production avionics systems. The rules are a result of every business and their dog trying to get a slice of the government pie. Plus throw in the senior staff who get kickbacks in the form of retirement employment etc and it's a wonder any military purchasing project succeeds at all.

For those of you who don't know, Unisys is actually one of the big names in the telecom-security services out there, and one of their big businesses is secure phone lines for check clearing for financial services and banks. I doubt this is a case of bottom fishing for services, as Unisys probably is responsible for the security of transactions representing many billions of dollars a day and charges an arm and a leg for it.

Actually the govt goes for the lowest bidder quite often depending on the situation. I am an engineer for a government contracting company and we often times have to bid lower than we know is realistic so that we can win the contract. However, the program I am working on presently is a different situation. The branch of the military that is funding my current project has extra money that must be spent to justify their budget, therefore we get to take our time and spend lots of money to build a really great product. We call this a "cost plus" situation. As an engineer I really have no interest in these politics and finances, but you pick it up a bit along the way.

The "lowest bidder" scenario is completely dependent upon the number of firms out there who are capable of completing the work prescribed and producing the specified product/service, whatever that may be.

If all we need is a new model widget that is low tech, mass produced and I used to pay $49.99/unit for it, then yes, we use the lowest bidder.

If it's a new laser designator/tracker for the F/A-18, then we're going to go with Boeing, who built the aircraft, has done, due to contractual obligations, all of the engineering on all aircraft mods and improvements and knows the systems from the inside and out. This ensures that we get the right product the very first time, with an absolute minimum of headache. Do we pay more for the final product? Yeah, almost surely. But there are costs associated with the bidding process as well, and those are avoided, as well as post manufacturing problems with actually using the thing that most assuredly would occur.

And there are an unbelievable number of checks and balances in the procurement system to keep everyone honest, and the penalties are very, very severe.

I can understand the cynicism, but being on the inside, working these issues, sitting in on countless meetings and having to push to get funding, I know how it really works. It is ridiculously, ludicrously difficult, with so many boxes to get checked off that ensure legality and impartiality that I am truly amazed that anything ever actually gets purchased.

For clarification purposes, there are other companies that we do contract with for those types of products/services, like Raytheon, Honeywell, etc., but very often they are involved with the acft manufacturer in the first place, and already know the systems.

Funny like they ever care about the lowest bidder. More than likely they went with the friend of the guy who was responsible for the contract, or some other ex government guy that used the old revolving door to get him a good VP job at Unisys in return for the contract. Happens all the time.

Actually, you are 100% right, retrospooty. That is the usual thing and reason why a company with a piss-poor or non-existent track record in a business gets the contract from the government: either they gave money to the politicians or people who are giving the contract out or they have a son or daughter/some other family member of the person giving out the contract in their company.

Having a former CEO and chairman currently occupying the vice-position of a high level government office also helps you land lucrative contracts without requiring the usual time-wasting bidding process.

As we see, all it takes is one success though... Though frankly, despite the otherwise good track record, I think the main issue is the possibility that Unisys possibly lied to cover up their mistakes when this break-in occurred... Honesty is always the best policy, particularly when it comes to investigating how a break-in like this happened. Sure it was all unclassified materials this time, but what could be taken next time around had the cover up been successful and no steps were taken to prevent this kind of thing from happening again in the future?

Classified networks have no regular external connections and are extremely difficult to break into. Unclassified data is useful but not particularly important. I have 2 machines, one classified and one unclassified, they are on two completely separated networks. Basic internet is unavailable on the classified systems, and there are no Floppy/CD/USB drives/ports available to plug anything in either.

quote: Classified networks have no regular external connections and are extremely difficult to break into. Unclassified data is useful but not particularly important. I have 2 machines, one classified and one unclassified, they are on two completely separated networks. Basic internet is unavailable on the classified systems

That's reassuring, and makes me think claims of Chinese capabilities to completely disable our critical communications networks isn't quite so serious. They can knock down Google, America can survive for perhaps 6 hours without Google (8 at the maximum), but at least it sounds like a first-strike that cripples the government is unlikely.

Satellites not included, of course. It's always mentioned how vulnerable they are, but I'd hope/assume we aren't 100% reliant on them either.

Just because gov says that nothing classified was taken is a load of bull. They will never agree of their mistake and also probably Bush knows this Unisys people that's why they must have gotten the contract in the first place. Now that the gov knows that Unisys screwed up how come I am not hearing that they terminated their contract and went to another company and also sued UNISYS for criminal activities.

quote: They will never agree of their mistake and also probably Bush knows this Unisys people that's why they must have gotten the contract in the first place.

Every time there is a government or related to government screwup it's all Bush's fault >.> Get over it guys. You are seriously overstating the power of the president. In the case of contracts it's exclusively a Congressional matter usually with MITRE tacked in as well.

Yeah right, the Iraqi adventure, will be seen as enlightened policy from an intellectually incapable President and his mendacious deputy. The Bush/Cheney presidency's moral capital is akin to that of a sub-prime mortgage. Neologistic? I doubt it.